Category Archives: Mobile Application Security

Leveraging Multiple Environments: Enhancing Application Security through Dev, Test, and Production Segregation

Posted on by
Reply

 

Application security has never been more critical, as cyber threats loom large over every piece of software. To safeguard applications, segregation of development, testing, and production environments has emerged as a crucial strategy. This practice not only improves security measures but also streamlines processes, effectively mitigating risks.

Nodes

To fully grasp the role of environment segregation, one must first understand Application Security (AppSec) and the common vulnerabilities in app development. Properly segregating environments aids in risk mitigation, adopts enhanced security practices, and aligns with secure software development life cycles. It involves distinct setups for development, testing, and production to ensure each stage operates securely and efficiently.

This article delves into the importance of segregating development environments to elevate application security. From understanding secure practices to exploring security frameworks and testing tools, we will uncover how this strategic segregation upholds compliance and regulatory requirements. Embark on a journey to making application security an integral part of your development process with environment segregation.

Importance of Environment Segregation in AppSec

Separating development, test, and production environments is essential for application security (AppSec). This practice prevents data exposure and unauthorized access, as emphasized by ISO 27002 Control 8.31. Failing to segregate these environments can harm the availability, confidentiality, and integrity of information assets.

To maintain security, it’s vital to implement proper procedures and controls. Here’s why:

  1. Confidentiality: Environment segregation keeps sensitive information hidden. For instance, the Uber code repository incident showed the dangers of accidental exposure.
  2. Integrity: Segmenting environments prevents unauthorized changes to data.
  3. Availability: Proper segregation ensures that environments remain operational and secure from threats.

Table of Environment Segregation Benefits:

Environment

Key Security Measure

Benefit

Development

Access controls

Prevents unauthorized access

Test

Authorization controls

Validates security measures

Production

Extra layer security

Protects against breaches

Using authorization controls and access restrictions ensures the secure separation of these environments. By following these best practices, you can safeguard your software development project from potential security threats.

Overview of Application Security (AppSec)

Application Security (AppSec) is essential for protecting an application’s code and data from cyber threats. It is a meticulous process that begins at the design phase and continues through the entire software development lifecycle. AppSec employs strategies like secure coding, threat modeling, and security testing to ensure that applications remain secure. By focusing on confidentiality, integrity, and availability, AppSec helps defend against vulnerabilities such as identification failures and server-side request forgery. A solid AppSec plan relies on continuous strategies, including automated security scanning. Proper application security starts with understanding potential risks through thorough threat assessments. These evaluations guide developers in prioritizing defense efforts to protect applications from common threats.

Definition and Purpose

The ISO 27002:2022 Control 8.31 standard focuses on separating different environments to reduce security risks. The main goal is to protect sensitive data by keeping development, test, and production areas distinct. This segregation ensures that the confidentiality, integrity, and availability of information assets are maintained. By following this control, organizations can avoid issues like unauthorized access and data exposure. It not only supports security best practices but also helps companies adhere to compliance requirements. Proper environment separation involves implementing robust procedures and policies to maintain security throughout the software development lifecycle. Protecting these environments is crucial for avoiding potential losses and maintaining a strong security posture.

Common Risks in Application Development

Developing applications involves dealing with several common risks. One significant concern is third-party vulnerabilities found in libraries and components. These vulnerabilities can compromise an application’s security if exploited. Code tampering is another risk where unauthorized individuals make changes to the software. This emphasizes the importance of access controls and version tracking to mitigate potential security flaws. Configuration errors also pose a threat during software deployment. These errors can arise from improper settings, leading to vulnerabilities that can be exploited. Using the Common Weakness Enumeration (CWE) helps developers identify and address critical software weaknesses. Regular monitoring of development endpoints helps detect vulnerabilities early. This proactive approach ensures the overall security posture remains strong and robust throughout the software development process.

Understanding Environment Segregation

Environment segregation is vital for maintaining the security and integrity of applications. According to ISO 27002 Control 8.31, keeping development, testing, and production environments separate helps prevent unauthorized access and protects data integrity and confidentiality. Without proper segregation, companies risk exposing sensitive data, as seen in past incidents. A preventive approach involves strict procedures and technical controls to maintain a clear division between these stages. This ensures that sensitive information assets remain confidential, are not tampered with, and are available to authorized users throughout the application’s lifecycle. By implementing these best practices, organizations can maintain a strong security posture.

Development Environments

Development environments are where software developers can experiment and make frequent changes. This flexibility is essential for creativity and innovation, but it carries potential security risks. Without proper security controls, these environments could be vulnerable to unauthorized access and data exposure. Effective segregation from test and production environments is crucial. Incorporating security processes early in the Software Development Lifecycle (SDLC) helps avoid security bottlenecks. Implementing strong authentication and access controls ensures data confidentiality and integrity. A secure development environment protects against potential vulnerabilities and unauthorized access, maintaining the confidentiality and availability of sensitive information.

Test Environments

Test environments play a crucial role in ensuring that any changes made during development do not cause issues in the production environment. By isolating testing from production through network segmentation, organizations can avoid potential vulnerabilities from spilling over. Security measures in test environments should be as strict as those in production. Regular security audits and penetration testing help identify weaknesses early. Integrating security testing tools allows for better tracking and management of potential security threats. By ensuring that security checks are in place, organizations can prevent potential production problems, safeguarding sensitive information from unauthorized access and suspicious activity.

Production Environments

Production environments require tight controls to ensure stability and security for end-users. Limiting the use of production software in non-production environments reduces the risk of unauthorized access to critical systems. Access to production should be limited to authorized personnel to prevent potential threats from malicious actors. Monitoring and logging systems provide insights into potential security incidents, enabling early detection and quick action. Continuous monitoring helps identify any unnecessary access privileges, strengthening security measures. By maintaining a strong security posture, production environments protect sensitive information, ensuring the application’s integrity and availability are upheld.

Benefits of Environment Segregation

Environment segregation is a cornerstone of application security best practices. By separating development, test, and production environments, organizations can prevent unauthorized access to sensitive data. Only authorized users have access to each environment, which reduces the risk of security issues. This segregation approach helps maintain the integrity and security of information. By having strict segregation policies, organizations can avoid accidental publication of sensitive information. Segmentation minimizes the impact of breaches, ensuring that a security issue in one environment does not affect others. Effective segregation also supports compliance with standards like ISO 27002. Organizations adhering to these standards enhance their security posture by following best practices in data protection.

Risk Mitigation

Thorough environment isolation is vital for risk mitigation. Separate test, staging, and production environments prevent data leaks and ensure that untested code is not deployed. A robust monitoring system tracks software performance, helping identify potential vulnerabilities early. Continuous threat modeling assesses potential threats, allowing teams to prioritize security measures throughout the software development lifecycle. Implementing access controls and encryption further protects applications from potential security threats. Integrating Software Composition Analysis (SCA) tools identifies and monitors vulnerabilities in third-party components. This proactive approach aids in managing risks associated with open-source libraries, allowing development teams to maintain a strong security posture throughout the project.

Enhanced Security Practices

Incorporating security into every phase of the development lifecycle is crucial. This approach helps identify and mitigate common vulnerabilities early, reducing the likelihood of breaches. MobiDev emphasizes the importance of this integration for long-term security. Regular security audits and penetration testing are essential to keep software products secure. These practices identify misconfigurations and potential security flaws. A Secure Software Development Life Cycle (SSDLC) encompasses security controls at every stage. From requirement gathering to operation, SSDLC ensures secure application development. AI technologies further enhance security by automating threat detection and response. They identify patterns indicating potential threats, improving response times. Continuous monitoring of access usage ensures only authorized personnel have access, enhancing overall security.

Secure Development Practices

Establishing secure development practices is vital for protecting software against threats. This involves using a well-planned approach to keep development, test, and production environments separate. By doing this, you help safeguard sensitive data and maintain a strong security posture. Implementing multi-factor authentication (MFA) further prevents unauthorized access. Development teams need to adopt a continuous application security approach. This includes secure coding, threat modeling, security testing, and encrypting data to mitigate vulnerabilities. By consistently applying these practices, you can better protect your software product and its users against potential security threats.

Overview of Secure Software Development Lifecycle (SSDLC)

The Secure Software Development Lifecycle (SSDLC) is a process that integrates security measures into every phase of software development. Unlike the traditional Software Development Life Cycle (SDLC), the SSDLC focuses on contemporary security challenges. It begins with requirements gathering and continues through design, implementation, testing, deployment, and maintenance. By embedding security checks and threat modeling, SSDLC aims to prevent security flaws early on. For development teams, understanding the SSDLC is crucial. It aids in reducing potential vulnerabilities and protecting against data breaches.

Code Tampering Prevention

Preventing code tampering is essential for maintaining the integrity of your software. One way to achieve this is through strict access controls, which block unauthorized individuals from altering the source code. Using version control systems is another effective measure. These systems track changes to the code, making it easier to spot unauthorized modifications. Such practices are vital because code tampering can introduce vulnerabilities or bugs. By monitoring software code and maintaining logs of changes, development teams can ensure accountability. Together, these steps help in minimizing potential threats and maintaining secure software.

Configuration Management

Configuration management is key to ensuring your system remains secure against evolving threats. It starts with establishing a standard, secure setup. This setup serves as a baseline, compliant with industry best practices. Regular audits help in maintaining adherence to this baseline and in identifying deviations promptly. Effective configuration management includes disabling unnecessary features and securing default settings. Regular updates and patches are also crucial. These efforts help in addressing potential vulnerabilities, thereby enhancing the security of your software product. A robust configuration management process ensures your system is resilient against security threats.

Access Control Implementation

Access control is a central component of safeguarding sensitive systems and data. By applying the principle of least privilege, you ensure that users and applications access only the data they need. This minimizes the risk of unauthorized access. Role-based access control (RBAC) streamlines permission management by assigning roles with specific privileges. This makes managing access across environments simpler for the development team. Regular audits further ensure that access controls are up-to-date and effective. Implementing Multi-Factor Authentication (MFA) enhances security by requiring multiple forms of identification. Monitoring access and reviewing controls aids in detecting suspicious activity. Together, these measures enhance your security posture by protecting against unauthorized access and potential vulnerabilities.

Best Practices for Environment Segregation

Creating separate environments for development, testing, and production is crucial for application security. This separation helps mitigate potential security issues by allowing teams to address them before they impact the live environment. The development environment is where new features are built. The test or staging environments allow for these features to be tested and bugs to be squashed. This ensures any changes won’t disrupt the live application. Proper segregation also enables adequate code reviews and security checks to catch potential vulnerabilities. To further secure these environments, employing strong authentication and access controls is critical. This reduces the risk of unauthorized access. By maintaining parity between staging and production environments, organizations can prevent testing discrepancies. This approach ensures smoother deployments and increases the overall security posture of the software product.

Continuous Monitoring

Continuous monitoring is a key part of maintaining secure environments. It provides real-time surveillance to detect potential threats swiftly. Implementing a Security Information and Event Management (SIEM) tool helps by collecting and analyzing logs for suspicious activity. This allows development teams to respond quickly to anomalies which might indicate a security issue. By continuously logging and monitoring systems, organizations can detect unauthorized access attempts and potential vulnerabilities. This early detection is vital in protecting against common vulnerabilities and securing environment variables and source code. As infrastructure changes can impact security, having an automated system to track these changes is essential. Continuous monitoring offers an extra layer of protection, ensuring that potential threats are caught before they can cause harm.

Regular Security Audits

Regular security audits are crucial for ensuring that systems adhere to the best security practices. These audits examine the development and production environments for vulnerabilities such as outdated libraries and misconfigurations. By identifying overly permissive access controls, organizations can tighten security measures. Security audits usually involve both internal assessments and external evaluations. Techniques like penetration testing and vulnerability scanning are commonly used. Conducting these audits on a regular basis helps maintain effective security measures. It also ensures compliance with evolving security standards. By uncovering potential security flaws, audits play a significant role in preventing unauthorized access and reducing potential security threats. In the software development lifecycle, regular audits help in maintaining a secure development environment by identifying new vulnerabilities early.

Integrating Security in the DevOps Pipeline

Integrating security within the DevOps pipeline, often referred to as DevSecOps, is vital for aligning security with rapid software development. This integration ensures that security is an intrinsic part of the software development lifecycle. A ‘shift everywhere’ approach embeds security measures both in the Integrated Developer Environment (IDE) and CI/CD pipelines. This allows vulnerabilities to be addressed long before reaching production environments. Automation of security processes within CI/CD pipelines reduces friction and ensures quicker identification of security issues. Utilizing AI technologies can enhance threat detection and automate testing, thus accelerating response times. A shift-left strategy incorporates security checks early in the development process. This helps in precise release planning by maintaining secure coding standards from the beginning. This proactive approach not only lowers risks but strengthens the overall security posture of a software development project.

Frameworks and Guidelines for Security

Application security is crucial for protecting software products from potential threats and vulnerabilities. Organizations rely on various frameworks and guidelines to maintain a robust security posture. The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is one such framework. It categorizes risk management into five key functions: Identify, Protect, Detect, Respond, and Recover. Another important standard is ISO/IEC 27001, which ensures the confidentiality, integrity, and access control of security information. Applying a secure software development lifecycle can significantly decrease the risk of exploitable vulnerabilities. Integrating security tools and processes throughout the development lifecycle shields software from evolving cyber threats. Additionally, following the Open Web Application Security Project (OWASP) recommendations helps strengthen security practices in web applications.

ISO 27002:2022 Control 8.31

ISO 27002:2022 Control 8.31 emphasizes the strict segregation of development, test, and production environments. This practice is vital for minimizing security issues and protecting sensitive data from unauthorized access. Proper segregation helps maintain the confidentiality, integrity, and availability of information assets. By enforcing authorization controls and access restrictions, organizations can prevent data exposure and potential vulnerabilities.

Ensuring these environments are separate supports the development team in conducting thorough security checks and code reviews without affecting the production environment. It also helps software developers to identify and address potential security threats during the application development phase. A clear distinction between these environments safeguards the software development lifecycle from common vulnerabilities.

Moreover, the implementation of Control 8.31 as guided by ISO 27002:2022 secures organizational environments. This measure protects sensitive information from unauthorized disclosure, ensuring that security controls are effectively maintained. Adhering to such standards fortifies the security measures, creating an extra layer of defense against suspicious activity and potential threats. Overall, following these guidelines strengthens an organization’s security posture and ensures the safe deployment of software products.

Implementing Security Testing Tools

To maintain application security, it’s important to use the right testing tools. Static Application Security Testing (SAST) helps developers find security flaws early in the development process. This means weaknesses can be fixed before they become bigger issues. Dynamic Application Security Testing (DAST) analyzes applications in real-time in production environments, checking for vulnerabilities that could be exploited by cyberattacks. Interactive Application Security Testing (IAST) combines both static and dynamic methods to give a more comprehensive evaluation. By regularly using these tools, both manually and automatically, developers can identify potential vulnerabilities and apply effective remediation strategies. This layered approach helps in maintaining a strong security posture throughout the software development lifecycle.

Tools for Development Environments

In a development environment, using the right security controls is crucial. SAST tools work well here as they scan the source code to spot security weaknesses. This early detection is key in preventing future issues. Software Composition Analysis (SCA) tools also play an important role by keeping track of third-party components. These inventories help identify potential vulnerabilities. Configuring security tools to generate artifacts is beneficial, enabling quick responses to threats. Threat modeling tools are useful during the design phase, identifying security threats early on. The development team then gains insights into potential vulnerabilities before they become a problem. By employing these security measures, the development environment becomes a fortified area against suspicious activity and unauthorized access.

Tools for Testing Environments

Testing environments can reveal vulnerabilities that might not be obvious during development. Dynamic Application Security Testing (DAST) sends unexpected inputs to applications to find security weaknesses. Tools like OWASP ZAP automate repetitive security checks, streamlining the testing process. SAST tools assist developers by spotting and fixing security issues in the code before it goes live. Interactive Application Security Testing (IAST) aggregates data from SAST and DAST, delivering precise insights across any development stage. Manual testing with tools like Burp Suite and Postman allows developers to interact directly with APIs, uncovering potential security threats. Combining these methods ensures that a testing environment is well equipped to handle any potential vulnerabilities.

Tools for Production Environments

In production environments, security is critical, as this is where software interacts with real users. DAST tools offer real-time vulnerability analysis, key to preventing runtime errors and cyberattacks. IAST provides comprehensive security assessments by integrating static and dynamic methods. This helps in real-time monitoring and immediate threat detection. Run-time Application Security Protection (RASP) is another layer that automates incident responses, such as alerting security teams about potential threats. Monitoring and auditing privileged access prevent unauthorized access, reducing risks of malicious activities. Security systems like firewalls and intrusion prevention systems create a robust defense. Continuous testing in production is crucial to keep software secure. These efforts combine to safeguard against potential security threats, ensuring the software product remains trustworthy and secure.

Compliance and Regulatory Standards

In today’s digital landscape, adhering to compliance regulations like GDPR, HIPAA, and PCI DSS is crucial for maintaining strong security frameworks. These regulations ensure that software development processes integrate security from the ground up. By embedding necessary security measures throughout the software development lifecycle, organizations can align themselves with these important standards. This approach not only safeguards sensitive data but also builds trust with users. For organizations to stay compliant, it’s vital to stay informed about these regulations. Implementing continuous security testing is key to protecting applications, especially in production environments. By doing so, businesses can meet compliance standards and fend off potential threats.

Ensuring Compliance Through Segregation

Segregating environments is a key strategy in maintaining compliance and enhancing security. Control 8.31 mandates secure separation of development, testing, and production environments to prevent issues. This control involves collaboration between the chief information security officer and the development team. Together, they ensure the separation protocols are followed diligently.

Maintaining effective segregation requires using separate virtual and physical setups for production. This limits unauthorized access and potential security flaws in the software product. Organisations must establish approved testing protocols prior to any production environment activity. This ensures that potential security threats are identified before they become problematic.

Documenting rules and authorization procedures for software use post-development is crucial. By following these guidelines, organizations can meet Control 8.31 compliance. This helps in reinforcing their application security and enhancing overall security posture. It also aids in avoiding regulatory issues, ensuring smooth operations.

Meeting Regulatory Requirements

Understanding regulations like GDPR, HIPAA, and PCI DSS is essential for application security compliance. Familiarizing yourself with these standards helps organizations incorporate necessary security measures. Regular audits play a vital role in verifying compliance. They help identify security gaps and address them promptly to maintain conformity with established guidelines.

Leveraging a Secure Software Development Lifecycle (SSDLC) is crucial. SSDLC integrates security checks throughout the software development process, aiding compliance efforts. Continuous integration and deployment (CI/CD) should include automated security testing. This prevents potential vulnerabilities from causing non-compliance issues.

Meeting these regulatory requirements reduces legal risks and enhances application safety. It provides a framework that evolves with the continuously shifting landscape of cyber threats. Organizations that prioritize these security practices strengthen their defenses and keep applications secure and reliable. By doing so, they not only protect sensitive data but also foster user trust.

Seeking Expertise: Getting More Information and Help from MicroSolved, Inc.

Navigating the complex landscape of application security can be challenging. For organizations looking for expert guidance and tailored solutions, collaborating with a seasoned security partner like MicroSolved, Inc. can be invaluable.

Why Consider MicroSolved, Inc.?

MicroSolved, Inc. brings in-depth knowledge and years of experience in application security, making us a reliable partner in safeguarding your digital assets. Our team of experts stay at the forefront of security trends and emerging threats, offering insights and solutions that are both innovative and practical.

Services Offered by MicroSolved, Inc.

MicroSolved, Inc. provides a comprehensive range of services designed to enhance your application security posture:

  • Security Assessments and Audits: Thorough evaluations to identify vulnerabilities and compliance gaps.
  • Incident Response Planning: Strategies to efficiently manage and mitigate security breaches.
  • Training and Workshops: Programs aimed at elevating your team’s security awareness and skills.

Getting Started with MicroSolved, Inc.

Engaging with MicroSolved is straightforward. We work closely with your team to understand your unique security needs and provide customized strategies. Whether you’re just beginning to establish multiple environments for security purposes or seeking advanced security solutions, MicroSolved, Inc. can provide the support you need.

For more information or to schedule a consultation, visit our official website (microsolved.com) or contact us directly (info@microsolved.com / +1.614.351.1237). With our assistance, your organization can reinforce its application security, ensuring robust protection against today’s most sophisticated threats.

 

 

* AI tools were used as a research assistant for this content.

Unlocking the Power of Application Assessments with the MSI Testing Lab

Posted on by
Reply

Secure software isn’t just a best practice—it’s a business imperative. At MSI, our Testing Lab provides a comprehensive suite of application assessment services designed to ensure that your software, whether developed in-house or acquired, stands up to real-world threats and compliance demands.

AppSec

Why Application Assessments Matter

Application assessments are essential for understanding the security posture of your software assets. They help identify vulnerabilities before they’re exploited, validate secure development practices, and support regulatory and governance frameworks like the NCUA, FFIEC, CIS Controls, and more.

Core Use Cases for Application Assessments

  • Pre-deployment Assurance: Ensure new applications are secure before going live with code reviews, dynamic/static analysis, and penetration testing.
  • Regulatory and Compliance Support: Demonstrate alignment with frameworks such as FFIEC, NCUA SCUEP, GDPR, and CIS Control 16.
  • Third-party Risk Management: Test vendor-supplied or outsourced software for inherited vulnerabilities.
  • Incident Preparedness and Response: Identify post-incident exposure and harden application defenses.
  • DevSecOps Integration: Embed security testing into your CI/CD pipeline for continuous assurance.

Services We Offer

  • Application Penetration Testing
  • Secure Code Review
  • Threat Modeling & Architecture Reviews
  • Compliance Mapping & Gap Analysis
  • Red Team Simulation

Why MSI?

With decades of experience in application security, risk management, and compliance, MSI’s Testing Lab isn’t just checking boxes—we’re helping you build and maintain trust. Our experts align technical results with strategic business outcomes, ensuring that every assessment drives value.

Ready to Get Started?

Don’t wait for an audit or a breach to find out your applications are vulnerable. Contact the MSI Testing Lab today and let’s talk about how we can help secure your software environment—before the attackers get there first.

 

 

* AI tools were used as a research assistant for this content.

Preparing for the End of SMS Authentication

Posted on by
Reply

Over the last several years, wealth management/asset management firms have been integrating their systems with banking, trading and other financial platforms. One of the largest challenges wealth management firms face, from a technology standpoint, is managing multi-factor authentication when connecting to the accounts of their clients. In the coming year to eighteen months, this is likely to get even more challenging as SMS-based authentication is phased out. 

Today, many financial web sites, applications and phone apps require the use of SMS one-time security verification codes to be sent via text to the user. This usually happens once the user has entered their login and password to the system, after which it triggers the credential to be sent to their mobile phone number on record. The user then inputs this code into a form on the system and it is verified, and if correct, allows the user to proceed to access the application. This is called two factor authentication/multi-factor authentication (“MFA”) and is one of the most common mechanisms for performing this type of user authorization.

The problem with this mechanism for regulating sign ins to applications is that the method of sending the code is insecure. Attackers have a variety of means of intercepting SMS text messages and thus defeating this type of authentication. Just do some quick Google searches and you’ll find plenty of examples of this attack being successful. You’ll also find regulatory guidance about ending SMS authentication from a variety of sources like NIST and various financial regulators around the world. 

The likely successor to SMS text message authentication is the authenticator app on user mobile devices and smartphones. These authenticator apps reside in encrypted storage on the user’s phone and when prompted, provide a one-time password (“OTP”) just like the code sent in the text message. The difference is, through a variety of cryptographic techniques, once the application is setup and  the settings configured, it doesn’t need to communicate with the financial platform, and thus is significantly more difficult for attackers to compromise. Indeed, they must actually have the user’s device, or at the very least, access to the data that resides on it. This greatly reduces the risk of interception and mis-use of the codes in question, and increases the security of the user’s account with the financial institution.

This presents a significant problem, and opportunity, for wealth management firms. Transitioning their business processes from integrating with SMS-based authentication to authenticator apps can be a challenge on the technical level. Updates to the user interaction processes, for those firms that handle it manually, usually by calling the user and asking for the code, are also going to be needed. It is especially important, for these manual interactions, that some passphrase or the like is used, as banks, trading platforms and other financial institutions will be training their users to NEVER provide an authenticator app secret to anyone over the phone. Attackers leveraging social engineering are going to be the most prevalent form of danger to this authentication model, so wealth management firms must create controls to help assure their clients that they are who they say they are and train them to resist attackers pretending to be the wealth management firm. 

Technical and manual implementations of this form of authentication will prove to be an ongoing challenge for wealth management firms. We are already working with a variety of our clients, helping them update their processes, policies and controls for these changes. If your organization has been traditionally using SMS message authentication with your own clients, there is even more impetus to get moving on changes to your own processes. 

Let us know if we can be of service. You can reach out and have a no stress, no hassle discussion with our team by completing this web form. You can also give us a call anytime at 614-351-1237. We’d love to help! 

Mobile devices…innocent until proven guilty?

Posted on by

How many of us have been on Facebook, and laughed when a friend’s child posts “Child is my favorite!” after their parent left the table with their phone unlocked?

And who has had a friend – or been the friend – who left their phone at the table? Don’t laugh – try being the one who did that WITH the security team. (Guilty…)

Amusing anecdotes? Absolutely. Now, let’s imagine that mobile device is unlocked when it’s left unattended, and contains your corporate data…now what?

That’s where MDM – mobile device management – comes into play. There are a few things to consider when you’re planning your deployment:

  • Who will have access to corporate information on the device?
  • Will you allow people to use personal devices – BYOD – or restrict this to corporate assets?
  • What will you allow, and what do you want to prevent, with device access? Email only? Other resources? Will you allow attachments to be downloaded and stored on the device?
  • How important are remote wipe capabilities – think of the worst case scenario with a disgruntled employee at all levels, with access to your data?
  • What about geolocation capability? Do you want the ability to block access from certain areas of the world – and how easy will it be to fix this when the VP is in Hong Kong, and you’ve blocked APNIC? Do you want to be able to pinpoint the device’s location if it has been lost or stolen?
  • What platforms will you support? Android, iOS, others? Yes, there are other platforms…
  • Consider whether it makes sense to only allow mobile devices to access corporate data via a VPN? Depending on the sensitivity of your data, this may make sense for your scenario.

The majority of MDM vendors will support some or all of the feature set that you desire. Once you’ve weighed out your desired list, and chosen your vendor, there are a number of other factors to look at when considering your actual deployment. A few things to consider:

  • Back to the basics. Passwords – require devices, whether corporate or BYOD, to have a password and to change that password regularly.
  • Encryption. Again, another basic – devices that carry your corporate data should be encrypted.
  • Jailbroken, rooted, and otherwise compromised phones should not be allowed to access corporate data.
  • Require virus/malware protection, particularly for Android devices. Free solutions from well regarded vendors exist, so this is not an onerous requirement for employees.
  • Have valid, documented procedures for geolocation features – whether blocking access or locating devices. Include removal as well as deployment in those procedures – when the VP is back, you will want to remove the access to Hong Kong. And when an employee leaves your company, so should your ability to track their BYOD device.
  • Another item to have documented is your remote wipe or content removal process when a user leaves the company – willingly or not – or when a device is lost or stolen.
  • Decide what you will and will not allow in terms of software on a corporate device. Will you allow users to install Waze? Their favorite game? Define that line in advance, rather than closing the loop later.
  • Regularly audit your configuration, the device compliance, and any exceptions that have been granted. Are there changes that need to be made in light of emerging threats? Are there exceptions that are no longer required?

And remember to take a real vacation occasionally, and put that mobile device down, folks. Those nice people? They’re your family, friends, or others in your life outside of work.

Questions, comments? I’d love to hear from you – lwallace@microsolved.com, or @TheTokenFemale on Twitter!

Pointers for Mobile App Certificate Pinning

Posted on by
6

We often get questions about Certificate Pinning in mobile applications. Many clients find the issue difficult to explain to other teams.

You can find really great write ups, and an excellent set of source code examples for fixing this issue – as well as explaining it – at this OWASP.org site.

At a super high level though, you basically want your mobile application to validate the SSL certificate of the specific server(s) that you want it to talk to, and REJECT any certificates that do not match the intended server certificate – REGARDLESS of whether or not the underlying OS trusts the alternative certificate.

This will go a long way to hardening the SSL communication streams between the app and the server, and will not permit easy interception or man-in-the-middle attacks via a network provider or hostile proxy server.

Updates to the app source code are needed to mitigate the issue, and you may need to update apps in the app stores, depending on the way your app is delivered.

As always, if you work with MSI on mobile app security reviews or application-specific penetration testing, we would be happy to demonstrate the attacks and suggested mitigations for any identified issue. Just let us know if you would like assistance.

As always, thanks for reading and I hope your team finds this useful.

Getting Smart with Mobile App GeoLocation to Fight Fraud

Posted on by
4

If your mobile application includes purchases with credit cards, and a pickup of the merchandise, then you should pay attention to this.

Recently, in our testing lab and during an intelligence engagement, we identified a fraud mechanism where stolen credit cards were being used via the mobile app in question, to fraudulently purchase goods. In fact, the attackers were selling the purchase of the goods as a service on auction and market sites on the dark web.

The scam works like this. The bad guys have stolen credit cards (track data, likely from dumps), which they use to make a purchase for their client remotely. The bad guys use their stolen track data as a card not present transaction, which is standard for mobile apps. The bad guys have access to huge numbers of stolen cards, so they can burn them at a substantial rate without impacting their inventory to a large extent. The bad guy’s customer spends $25 in bitcoins to get up to $100 in merchandise. The bad guy takes the order from the dark net, uses the mobile app to place the order, and then delivers the receipt and/or pickup information to the bad guys customer. The customer then walks into the retailer and shows the receipt for their mobile order, picking up the merchandise and leaving.

The bad guy gets paid via the bitcoins. For them, this is an extremely low risk way to convert stolen credit card info to cash. It is significantly less risky for them than doing physical card replication, ATM use or other conversion methods that have a requirement for physical interaction.

The bad guy’s customer gets paid by picking up the merchandise. They get up to $100 value for a cost of $25. They take on some risk, but if performed properly, the scam is low risk to them, or so they believe. In the odd event, they simply leave the store after making their demands for satisfaction. There is little risk of arrest or prosecution, it would seem, especially at the low rate of $100 – or at least that was how the bad guy was pitching it to their prospective customers…

The credit card issuer or the merchant gets stuck. They are out the merchandise and/or the money, depending on their location in the world, and the merchant agreement/charge back/PCI compliance issues they face.

Understanding the fraud and motivations of the bad guys is critical for securing the systems in play. Organizations could up their validation techniques and vigilance for mobile orders. They could add additional fraudulent transaction heuristics to their capability. They could also implement geo-location on the mobile apps as a control – i.e.. If the order is being physically placed on a device in Ukraine, and pick up is in New York, there is a higher level of risk associated with that transaction. Identifying ways  to leverage the sensors and data points from a mobile device, and rolling it into fraud detection heuristics and machine learning analytics is the next wave of security for some of these applications. We are pleased to be helping clients get there…

To hear more about modern fraud techniques, application security testing or targeted threat intelligence like what we discussed above, drop us a line (info at microsolved dot com) or via Twitter (@lbhuston). We look forward to discussing it with your team.

Involved in M&A Activity? MSI has a full M&A Practice

Posted on by
Reply

 

MSI’s specialized offerings around Mergers & Acquisitions are designed to augment other business practices that are common in this phase of business. In addition to general security consulting and intelligence about a company from a “hacker’s eye view”, we also offer deeply integrated, methodology-driven processes around:

  1. Pre-negotiation intelligence
    1. This offering is designed to help the purchasing organization do recon on their prospect for purchase. Leveraging techniques like passive assessment, restricted individual tracing, supply chain analysis, key stakeholder profiling and history of compromise research, the potential purchasing company can get deep insights into the security posture and intellectual property integrity of the company they are considering for acquisition. All of this can be done passively and prior to a purchasing approach or offer. Insights from this service can be a useful tool in assessing approach and potential valuation. 
  2. Pre-integration assessments 
    1. Once the ink on the paperwork is dry, the organizations have to learn to live and work together. One of the most critical links, is the joining of the two IT infrastructures. In this service, our experts can perform assessments to analyze the new company’s security posture against the baseline standards of the purchasing organization. A gap analysis and road map for compliance can be provided, and if desired, MSI can serve as oversight for ensuring that the mitigations are completed as a condition for network interconnection and integration. Our team has performed these services across a variety of M&A completions, including multi-national and global Fortune 500 organizations.
  3. Post-purchase threat intelligence 
    1. MSI can also create mechanisms post-purchase to identify and respond to potential threats from inside the newly acquired organization. Our counter-intelligence and operational security techniques can help organizations identify potential internal bad actors or disgruntled new employees that could be seeking to damage the acquirer. We have created these solutions across a myriad of verticals and are quite capable of working in international and other highly complex environments. 

To learn more about these specific offerings, click on the links above. To discuss these offerings in more detail, please contact your account executive for a free consultation.

Plus, we also just added some new capabilities for asset discovery, network mapping and traffic baselining. Check this out for some amazing new ways we can help you!

Never Store Anything on the Cloud that You Wouldn’t Want Your Mamma to See

Posted on by
Reply

It’s great now days, isn’t it?

You carry around devices with you that can do just about anything! You can get on the Internet and check your email, do your banking, find out what is new on Facebook, send a Tweet or a million other things. You can also take a picture, record a conversation, make a movie or store your work papers – and the storage space is virtually unlimited! And all this is just great as long as you understand what kind of risks this freedom poses to your privacy.

Remember that much of this stuff is getting stored on the cloud, and the only thing that separates your stuff from the general public is a user name, password and sometimes a security question. Just recently, a number of celebrities have complained that their photos (some of them explicit) have been stolen by hackers. These photos were stored in iCloud digital vaults, and were really very well defended by Apple security measures. But Apple wasn’t at fault here – it turns out that the celebrities themselves revealed the means to access their private stuff.

It’s called Phishing, and there are a million types of bait being used out there to fool or entice you. By clicking on a link in an innocent-looking email or answering a few simple questions, you can give away the keys to the kingdom. And even if you realize your mistake a couple of hours later, it is probably already too late to do anything about it. That naughty movie you made with your spouse during your romantic visit to Niagara Falls is already available from Peking to Panama!

Apple announced that they will soon start sending people alerts when attempts are made to change passwords, restore iCloud data to new devices or when someone logs in for the first time from new Apple devices. These are valuable controls, but really are only detective in nature and won’t actually prevent many data losses. That is why we recommend giving yourselves some real protection.

First, you should ensure that you educate yourself and your family about the dangers hackers and social engineers pose, and the techniques they use to get at your stuff. Second, it is really a lot better to store important or sensitive data on local devices if possible. But, if you must store your private data in the cloud, be sure it is well encrypted. Best of all, use some sort of good multi-part authentication technique to protect your stuff from being accessed easily by hackers. By that I mean something like a digital certificate or an RSA hard token – something you have or something you are, not just something you know.

If you do these things, then it’s a good bet your “special moments” won’t end up in your Momma’s inbox!

Thanks to John Davis for this post.

Ask The Security Experts: Mobile Policy

Posted on by
1

This time around, the experts offer insights on this question:

Q: “Dear Experts, what are the key things I need to keep in mind when I write my company’s mobile security policy?” — MK

John Davis starts us off with:

I would say the most important thing is to actually write your own policy; don’t just copy a generic mobile security policy from the Internet and adopt it as your own. For a mobile security policy to be effective, it needs to be tailored to meet your organizations particular information security requirements and also needs to reflect the reality of mobile device use at your organization. It won’t do you much good to forbid using mobile devices for business purposes if you have no mechanisms in place to prevent or detect such uses. Effective information security policy, like effective statute law, is both practical and enforceable.

Adam Hostetler added:

Keep in mind what kind of current security policies you have, and try to apply that to the mobile sphere. Users need to understand that they are connecting an additional computer to the network, and not just a “phone”. Keep in mind also what kind of deployment you are using. Is it bring your own device, or is it company provided? There will be different policies and procedures for each method and possible user backlash depending on how you are doing this.

As always, thanks to the experts for weighing in, and to the readers for the questions. Keep them coming!

Resources for Mobile Application Security

Posted on by
1

Mobile application security continues to be a hot topic within the information security community. With more and more employees expecting to use their own devices at their workplaces, IT departments are scrambling to develop the right approach for securing their data.

If you’re working on developing security policies or seeking ways to secure your mobile applications, you may find some of these resources helpful. Stay safe out there!